RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel
From: joe (mvp_at_joeware.net)
To: "'[Full Disclosure]'" <firstname.lastname@example.org>
Date: Sun, 18 Jan 2004 17:52:43 -0500
I would be curious what exactly you and your customers are doing with your
Active Directory implementations. I have been running a 250k user global
multiple domain AD environment consisting of 9 domains across some 400
domain controllers for 3 years come April without the issues you seem to
imply are commonplace for you. Not one restore from backup ever. Our AD has
the crap beat out of it daily and supports Win9x-WinXP/2K3 as well as
UNIX/LINUX Kerberos Clients, OS/2, UNIX/LINUX LDAP Clients, Linux, Samba on
every known flavor of UNIX/LINUX and even Digital Equipment Systems,
PeopleSoft, etc. We process tens if not hundreds of millions of
authentications a day across the world. Probably a good 60-70k security
groups and several hundred thousand computer objects.
I don't know the size of implementations you have been playing with but I
would certainly consider my environment Enterprise Level. Any database
corruption we have ever gotten has been due to complete disk subsystem
failures and the directory stops replicating to protect itself. We fix the
disk subsystem failure, reload the machine, repromote, and it is up and
happy again. We don't really need the reload most of the time probably but
once I blow a disk system I don't trust the machine until it has been
scrubbed and reloaded. Obviously if it is a simple RAID disk blown out we
don't even think twice about that, just throw in another disk and keep going
on our merry way.
Is it perfect? No? Have I had problems? Absolutely. I probably have hit more
real non-self generated issues than a vast majority of the people who have
or ever will use it simply due to the size and the distributed nature of
what I run and probably have at least 30+ KBs generated based on what I
have found and I don't know how many hot fixes and code flow changes are due
to my experiences and riding MS for the changes. There is certainly room for
improvement and there always will be. W2K AD was a good first swipe, W2K3 AD
is better, I expect the next rev to be better yet. That is how it works.
The biggest problem to the masses with AD is that it isn't the quick plug
and play environment that the NT4 domain structure was. MS got everyone so
trained into the idea that some brain dead individual could take a couple of
simple tests, call themselves an MCSE, and be a big bad network admin that
it turned around and bit companies firing up AD as they found out MCSE
didn't mean someone knew what the hell they were talking about.
Unfortunately for just about all of the Windows Admins/Consultants out there
one actually has to understand AD a little. Knowing NT4 Domains or Windows
2000 Servers doesn't make anyone an Active Directory Admin or consultant
though some will still claim it is so. Most Windows admins and consultants
don't have that knowledge and shouldn't be playing with it in production
environments without an adult present. Getting it to run on a home PC isn't
As for a poor revisit, I have a Banyan friend who used to go off on NDS just
like you are going off on AD. I have people at work who bitch about leaving
various X.500 implementations running on Big Iron.
I guess what I am saying is that any system will run like shit if
misconfigured. Just like any system will be insecure if misconfigured.
You want to beat on a MS product that absolutely deserves to be beat on,
beat on Exchange 2000/2003. Now there is a product that defies any logic and
configuration skills and truly isn't how an Enterprise class product should
[mailto:email@example.com] On Behalf Of Curt Purdy
Sent: Sunday, January 18, 2004 4:06 PM
To: 'yossarian'; '[Full Disclosure]'
Subject: RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel
And a poor revisit at that. I have had ADS crash and burn at two customers
in the last year (unfortunately no backup domain controllers - no we did not
set them up). Check out MS's knowledge base article on repairing ADS. It
is like a 50 page article that basically ends with "Re-install and restore
from tape and synch with other controllers". I have NEVER seen that happen
with DNS in all the years I've worked with NetWare.
Also have seen ADS get all confused more than once in multiple domain sites
requiring either finding the server with the least corruption and making it
authoritative, or restoring from a known good backup. No way to run an
enterprise. Again, whenever a problem has shown up in NDS, a simple
DSREPAIR has always fixed everything, without fail.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer DP
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
Full-Disclosure - We believe in it.